4

First, I know that there is no 100% sure solution, and this question have been ask more than once.

These posts are my favorites first and second but they are too old without enough effective solutions.

I'm creating a social game in JavaScript, HTML5 and CSS3 and I use canvas. For security reasons I wanted to know how to detect if a user is using his debugger tool. To prevent if a user is trying to change some value, speed etc.. but I can handle most of these stuff with PHP.

My game is a real-time game.

This is the non-exhaustive list of some anti-cheat ideas:

  • Check values every time he earns points on server side to see if it's consistent.
  • Crypt each value then decrypt it on server side.
  • Have a different Hash for each value and make it random each time a user load the game.
  • Minify and Encode my whole script file.
  • Detect if a user is using a debugger and check if he is resizing his window during the game (but he could open his debugger before loading the game so..).
  • Make the page submit a complete replay of the game and check for inconsistencies.
  • for each request to the server, send the script and compare it with the original script in case user has modified it.
  • Put the script minified inside my html page and for each request, send back the orignal script to replace the actual one.
  • Put a timer on client side, send the time on server side when you want in order to check if values are consistent (to do it you could calculate if the score match a minimum time you have set, e.g: the time is at 47sec, the score is 1000 and for your game between 40sec && 50sec the score can not be more than 1500 so in this case all is fine).

Of course there is many more solutions to list.

For each solution, he will have access to his debugger tool. There is no proper way to totally prevent the use of a debugger tool. So there is no way to prevent at 100% a user not to cheat.

At least you can make an almost anti-cheat by grouping all of these solutions together. Even if you don't have a full working system, only a small part of your users will cheat, and you can be sure that you will find tutoriel about how to cheat on your game, so you'll be able to find solution each time it happens.

Community
  • 1
  • 1
KeizerBridge
  • 2,707
  • 7
  • 24
  • 37
  • 2
    If you're going to trust the client, you're going to have to accept it can be made to lie to you. – TZHX Feb 13 '15 at 13:43
  • The only safe way is to make the client send commands to the server, the server does game computations, and sends a view back to the client. Only way to cheat then is to have an AI. Of course, there are drawbacks to this method – Suppen Feb 13 '15 at 13:44
  • 2
    You cannot secure the client against the client, and you have precisely zero right to expect the client to report his, her or its actions to you or your app. – David Thomas Feb 13 '15 at 13:44
  • My game will be a freemium game. So I can't trust anyone especially if there is money at stake. I need concret ideas in fact, for me and others, because there is not enough stuff about this on the internet.. – KeizerBridge Feb 13 '15 at 13:44
  • 1
    Is the game real time? Turn based? Asynchronous turn based? – Suppen Feb 13 '15 at 13:46
  • Yes it's a real time – KeizerBridge Feb 13 '15 at 13:46
  • the top answer of the second favorite post you mention has the best answer here. Don't dismiss it because the answer was old, or that the solution (validate everything on the server, don't rely on the client to tell the truth) is difficult to implement. It is the correct answer here. If money is involved, the only way to go is complete server side validation. – Marijn van Vliet Feb 13 '15 at 13:47
  • Yes I agree Rodin. When I say it's too old, May be there are new solutions now, and I think It's a real important answers. Even if people will close this answer. – KeizerBridge Feb 13 '15 at 13:49
  • if you want to trust only on js you have to do spaghetti code, hard to read and modify and you can also monitor if core functions in your app are changing but that's not solving your problem imo, because if you won't validate it on server side someone can do just a save result request with best score – szapio Feb 13 '15 at 13:51
  • 1
    You can make it very difficult to meddle with your scripts, but determined people *will* be able to make sense of it... especially if there is money involved. What you need is some server solution to keep the client honest (validating results and stuff like that). – Sverri M. Olsen Feb 13 '15 at 13:51
  • PHP is a crappy tool to make real time stuff in. I would recommend using some proper language on the server, which runs continuosly. PHP just wakes up on request, and goes back to sleep after it's done. Take a look at NodeJS or the Meteor framework (also JS), which will make it much easier to make real time stuff with the server involved, even multiplayer – Suppen Feb 13 '15 at 13:51
  • 1
    Websockets are also a must – Suppen Feb 13 '15 at 13:53
  • Suppen, you're right, PHP is the paradoxal easy way to use server side.. But PHP will be the one for this time. – KeizerBridge Feb 13 '15 at 13:54

0 Answers0